Amazon's privacy nightmare
The retail giant allegedly put personal information of millions of its customers at risk
In an attempt to speed up customer service and corporate growth, Amazon put the personal information of millions of its users at risk by giving its workforce broad, loosely controlled access to large quantities of customer data, access that employees went on to abuse. That’s according to a new investigative report based on internal documents reviewed by Reveal from the Center for Investigative Reporting and WIRED.
This “free-for-all” approach exposed the company to malicious insiders, with lower-level employees able to snoop on customer purchases, accept bribes from sellers to sabotage their competitors, and doctor customer reviews. It also made it “inordinately difficult to track where all of Amazon’s data was flowing.”
“Amazon’s vast empire of customer data — its metastasizing record of what you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa and who’s at your front door — had become so sprawling, fragmented and promiscuously shared within the company that the security division couldn’t even map all of it, much less adequately defend its borders,” the report said.
Perhaps of greatest concern is the repurposing of a program that let sellers on the platform extract their own metrics into “a backdoor for third-party developers to amass Amazon customer data.” A Chinese analytics firm named TouchData offered a service called AMZReview that abused the tool to harvest the personal information of up to 16 million customers in a Cambridge Analytica-like scheme and sell it to other sellers.
In another security lapse reported by Reveal and WIRED, Amazon was found to have exposed the names and American Express card numbers of nearly 24 million customers on an internal network, outside the “secure zone” reserved for payment data. Because its logs were retained for only 90 days, the company had no way of knowing whether the data had been accessed by unauthorized parties, a reminder that log retention has to outlast the window in which an exposure can go unnoticed.
That’s not all. In a separate report, Reuters discovered that the data amassed by Amazon included “Alexa voice recordings; videos from home-camera systems; personal health data from fitness trackers; data on consumers’ web-searching and buying habits from its e-commerce business,” along with detailed accounts of users’ Kindle e-reader sessions and data pulled from users’ iPhones and other non-Amazon devices.
The harvested information no doubt goes into personalizing the company’s services and serving targeted ads, but the lack of transparency, together with the company’s efforts to actively undermine privacy protections that could restrict its collection of biometric and voice data, is a sign that stricter data regulations are urgently needed.
What’s trending in security?
🇮🇱 Israel’s Ministry of Defense dramatically cut the list of countries to which the country’s cybersecurity firms may sell offensive hacking and surveillance tools, removing 65 nations from the export list.
NSO Group, already facing stiff headwinds after being sanctioned by the U.S. government, is now the target of a new lawsuit from Apple accusing the Israeli company of illegally infecting Apple devices with its Pegasus spyware. The suit follows a long string of reports documenting the use of the surveillance technology to spy on journalists and human rights defenders around the world. [The Hacker News]
🔐 Meta, the parent company of Facebook, Instagram, and WhatsApp, disclosed that it doesn't intend to roll out default end-to-end encryption (E2EE) across all its messaging services until 2023, pushing its original plans by at least a year. [The Hacker News]
🇺🇸 Under a new cybersecurity incident notification rule, banks in the U.S. will be required to notify federal regulators of any cybersecurity incidents within 36 hours of discovering them. The rule takes effect May 1, 2022. [Federal Deposit Insurance Corporation]
🌐 China’s Cyberspace Administration drafted new regulations that would fine entities, and even revoke their business licences, for helping internet users bypass the “Great Firewall” and access censored information from overseas. The draft covers providing “programs, tools, routes” or services for “penetrating and bypassing the cross-border data security gateway”, including internet access, server hosting, technical support, promotion, app downloads, and payment and settlement, a move that would strengthen the government’s control over the internet. [SCMP / The Record]
💲 In yet another indication that ransomware groups are getting better at changing their tactics on the fly, a group calling itself Memento Team was found using an unusual approach to holding victims’ files hostage. Instead of encrypting the files, the ransomware “copies files into password-protected archives, using a renamed freeware version of the legitimate file utility WinRAR—and then encrypts the password and deletes the original files.” [Sophos]
🔓 A credential phishing campaign targeting more than 125 high-profile TikTok accounts aimed to dupe users into handing their login details to the threat actors, who could then lock them out. A number of those targeted had their accounts deleted or taken over and their data stolen, researchers reported. [Abnormal Security]
⚠️ At least 300 WordPress sites were defaced with a message claiming that the sites’ data had been encrypted, in what turned out to be a fake ransomware attack. [Sucuri]
🔧 Intel is fixing a vulnerability that an attacker with physical access can exploit to install malicious firmware on the chip and defeat a variety of protections, including those provided by BitLocker, trusted platform modules, and anti-copying restrictions. [Ars Technica]
🛡️ The growing illegal market for zero-day exploits could fuel the rise of an exploit-as-a-service model, enabling high-profile ransomware gangs to lay their hands on pricey vulnerabilities. Researchers warned of an “Exploit-as-a-Service business model that would inevitably lower the barrier for accessing sophisticated exploits,” adding: “This model would allow capable threat actors to ‘lease’ zero-day exploits to other cybercriminals to conduct their attacks. The result? More and more financially motivated threat actors with their hands on dangerous tools.” [Digital Shadows]
ℹ️ Israel detained a man named Omri Goren Gorochovsky who worked as the personal house cleaner for the country’s Defense Minister Benny Gantz and charged him with leaking his employer’s photos and personal details to a group of Iranian hackers known as Black Shadow. [The Record]
⌚️ The privacy protections provided by Apple's Mail Privacy Protection and iCloud Private Relay features for iPhones, iPads, and Macs are seemingly undermined by a lack of Apple Watch support, security researchers have found.
This is the second time recently that issues have been uncovered in Apple-related services. In August 2021, researcher Zemnmez disclosed issues in the Apple ID login process that could be chained to take over an Apple ID, for which Apple paid $10,000. [MacRumors / Zemnmez]
🚫 Data collected by Microsoft’s network of honeypot servers shows that brute-force attackers overwhelmingly try short passwords, with very few attempts using credentials that are long or contain complex characters. “77% of attempts used a password between 1 and 7 characters. A password over 10 characters was only seen in 6% of cases,” security researcher Ross Bevington said. [The Record]
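The same length and complexity breakdown can be reproduced over your own honeypot logs. The snippet below is an added example, not code from Microsoft or from the original newsletter; the log format (`user=… pass=… src=…` lines) and the log lines themselves are constructed for illustration, and the length buckets mirror the 1–7 and over-10 cut-offs quoted above.

```python
# Added example (not from the original post): bucket brute-force login
# attempts by password length and character-class complexity, as one would
# do over honeypot authentication logs. The log format and lines below are
# constructed for illustration and do not come from any real honeypot.
import re
from collections import Counter

SAMPLE_LOG = """\
2021-11-20T10:01:02Z sshd honeypot: failed login user=root pass=123456 src=203.0.113.5
2021-11-20T10:01:03Z sshd honeypot: failed login user=admin pass=admin src=203.0.113.5
2021-11-20T10:01:05Z sshd honeypot: failed login user=root pass=password src=198.51.100.7
2021-11-20T10:01:06Z sshd honeypot: failed login user=root pass=P@ssw0rd2021! src=198.51.100.7
2021-11-20T10:01:07Z sshd honeypot: failed login user=ubuntu pass=ubuntu src=203.0.113.9
2021-11-20T10:01:08Z sshd honeypot: failed login user=root pass=qwerty src=203.0.113.9
2021-11-20T10:01:09Z sshd honeypot: failed login user=pi pass=raspberry src=192.0.2.4
2021-11-20T10:01:10Z sshd honeypot: failed login user=root pass=1234 src=192.0.2.4
2021-11-20T10:01:11Z sshd honeypot: failed login user=root pass=Tr0ub4dor&3 src=192.0.2.4
2021-11-20T10:01:12Z sshd honeypot: failed login user=test pass=test src=203.0.113.5
"""

# Assumed (hypothetical) honeypot line layout: the password is logged in clear
# because the honeypot deliberately accepts nothing and records every guess.
LINE_RE = re.compile(r"user=(?P<user>\S+) pass=(?P<pw>\S+) src=(?P<src>\S+)")


def parse_attempts(log_text):
    """Return (user, password, source) tuples for each failed-login line."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m["user"], m["pw"], m["src"]))
    return attempts


def length_bucket(pw):
    """Length buckets matching the cut-offs quoted in the article."""
    n = len(pw)
    if n <= 7:
        return "1-7"
    if n <= 10:
        return "8-10"
    return "11+"


def char_classes(pw):
    """Count character classes present: lower, upper, digit, symbol (0-4)."""
    classes = 0
    if re.search(r"[a-z]", pw):
        classes += 1
    if re.search(r"[A-Z]", pw):
        classes += 1
    if re.search(r"[0-9]", pw):
        classes += 1
    if re.search(r"[^A-Za-z0-9]", pw):
        classes += 1
    return classes


def summarize(attempts):
    """Percentages of attempts by length bucket and complexity, plus top guesses."""
    total = len(attempts)
    if total == 0:
        return {"total": 0, "pct_len_1_7": 0.0, "pct_len_over_10": 0.0,
                "pct_complex": 0.0, "top_passwords": []}
    lengths = Counter(length_bucket(pw) for _, pw, _ in attempts)
    # "Complex" here means three or more character classes (an assumed threshold).
    complex_count = sum(1 for _, pw, _ in attempts if char_classes(pw) >= 3)
    return {
        "total": total,
        "pct_len_1_7": round(100 * lengths["1-7"] / total, 1),
        "pct_len_over_10": round(100 * lengths["11+"] / total, 1),
        "pct_complex": round(100 * complex_count / total, 1),
        "top_passwords": Counter(pw for _, pw, _ in attempts).most_common(3),
    }


if __name__ == "__main__":
    print(summarize(parse_attempts(SAMPLE_LOG)))
```

On the constructed sample, 60% of guesses are 1–7 characters and only 20% exceed 10; real honeypot data will skew further toward short, single-class passwords, which is the point of the article's statistic.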
🇨🇳 A threat actor called Stardust Chollima, which has suspected links to the North Korean government, has been going after Chinese security researchers in an apparent attempt to steal their hacking techniques and use them as their own. [The Daily Beast]
💬 Canadian entrepreneur Jean-François Eap, CEO of Sky Global, a firm that develops privacy-focused mobile phones with custom software for sending encrypted messages, filed suit against the U.S. government in the Southern District of California. [Vice]
🗄️ The past two weeks in data breaches, leaks, and ransomware: California Pizza Kitchen, Damm, GoDaddy, IKEA, Mahan Air, RedDoorz, Sky, StripChat, Swire Pacific Offshore, Utah Imaging Associates, Vestas, and WSpot.
Tweet of the week
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!